With several high-profile cyber security breaches in the news, directors should be on high alert to protect their organisation from becoming the next victim.

To help directors meet their cybersecurity obligations, the Australian Institute of Company Directors (AICD) released the Cyber Security Governance Principles.

What are the Cyber Security Governance Principles?

The Cyber Security Governance Principles offer directors a framework of best-practice guidelines for overseeing and managing their organisation’s cybersecurity risk.

The Cost of Lacklustre Cyber Security Measures

A study by the United States Securities and Exchange Commission found that 60% of small to medium enterprises go out of business within six months of a cyber-attack.

And as we have seen recently with the Optus cybersecurity breach, cyber-attacks have an extremely negative impact on an organisation’s reputation, even if the organisation is strong enough to survive.

Therefore, organisations of any size can’t afford the long-term damage of a cyber-attack.

In this article, we unpack the AICD’s guide and recommendations to give you clarity on your cybersecurity obligations (and that of your organisation).

The Cyber Security Governance Principles

1. Set clear roles and responsibilities

An essential component of setting up cyber security protocols is establishing a cybersecurity team within your organisation – with each member having a clearly defined role and responsibility.

The cybersecurity team will be responsible for engaging with management and keeping the board informed on cybersecurity measures and trends. Within that team, there should be a clear line of management responsibility for cyber security.

It’s also vital that board members regularly include cyber risk and strategy in their agendas. Boards should also review their skills annually to ensure that directors have a minimum understanding of cyber security risk.

External experts also play critical roles in maximising the cybersecurity team’s capabilities. External experts can provide advice and assurance to boards and identify areas for improvement. They can also help establish policies that will assist with implementing a cyber security framework. An external review and validation of an organisation’s cyber risk controls and strategy are essential to a robust cyber security policy.

When reporting to the board on cyber risks, ensure your reporting is easy to digest – free of excessive jargon and technical terms.

2. Develop, implement and evolve a comprehensive cyber strategy

A cyber strategy, overseen by the board of directors and implemented by management, can identify opportunities for an organisation to build cyber resilience — thus proactively addressing threats.

A cyber strategy should exist in the form of a formal document. A robust cyber strategy includes the following:

  • Identifying the key digital assets and data of an organisation—and who has access to them;
  • Considering the impact of third-party suppliers: Both in terms of their importance and their potential risks;
  • A data governance framework that outlines how your organisation collects, holds, protects, and ultimately destroys data; and
  • A process for assessing and ensuring the cyber security controls of suppliers, vendors, and other relevant stakeholders.

Finally, your organisation’s cyber strategy and risk controls must be subject to internal and external evaluation. As cyber security threats constantly evolve, your plan to mitigate the risk of a security breach should also evolve.

3. Embed cyber security in existing risk management practices

While cyber security is a hot-button issue for organisations, it is important to remember that cyber risk is yet another risk (albeit a significant one) that should fall under your organisation’s existing risk management plan.

And as with other risks, the board should regularly assess the effectiveness of their cyber controls to ensure they match the ever-evolving nature of cyber threats.

And even though you cannot reduce your cyber risk to zero, there are several accessible and low-cost ways that all organisations can protect themselves.

Cyber security should be in the fabric of your organisation. Organisations often make the mistake of relying on the cybersecurity controls of their service providers. Over-reliance on external experts means you are underprepared internally if something were to go wrong.

4. Promote a culture of “cyber resilience”

Creating a culture of cyber resilience involves regular, relevant training of key staff in your organisation – including specific training for directors.

Cyber security training should involve simulated cyber-attack exercises that ensure that your team has the playbook and “match-fitness” to respond to a breach.

Furthermore, your organisation’s leaders should reinforce the importance of cybersecurity and “cyber resilience” to all staff. Without reinforcement from leadership, many staff see cyber security as an issue for frontline staff to manage and, therefore, not their problem.

To that end, it is vital your organisation’s leaders “walk the walk” by actively engaging with all aspects of your organisation’s cyber security processes and procedures.

As staff buy-in to cyber resilience is a top-down exercise, your organisation must include cyber security considerations in key leaders’ job descriptions and KPIs.

5. Prepare for a cyber attack

Underpinning your organisation’s cyber security measures should be the adage: “Prepare for the worst, expect the best”.

And in preparing for the worst, your organisation must prepare for a significant cyber attack.

As mentioned above, your leadership team must fully prepare your staff for the possibility of a cyber-attack by conducting a range of simulation exercises. These training drills will ensure all staff are fully aware of their roles and responsibilities during a breach.

It is imperative to document processes and lessons from these simulation exercises. Documentation ensures your organisation systemises effective responses – and the resulting blueprints will help to alleviate the additional pressure of a real-life attack.

Furthermore, your organisation needs a pre-determined crisis communications strategy so that you are in a position to deliver timely, relevant communication to stakeholders in the event of a breach. Clear, transparent communications with all key stakeholders can help mitigate the reputational damage of a significant cyber-attack – boosting your prospects of a speedy recovery.


Given the cost of a cyber-attack and its looming, ever-evolving threat, your organisation must have a cyber security policy. And to give yourself the best possible protection, the policy must consider the cyber security governance measures.

Our expert technology and compliance lawyers can assist with developing a comprehensive cyber security policy that offers your organisation maximum protection from cyber threats.


Get in contact with us to find out more and see how we can help your organisation.